Cyberspace is not a physical location; neither is “the internet”, or “the web”. It is worth bearing this in mind when listening to various people pontificating on whether or not “real world” law does or should apply to these “places”. William Gibson’s original definition when he coined the term Cyberspace is still accurate; like a corporation1, day to day we all pretend that this mental construct has an actual reality in the universe instead of being a metaphor for a complex form for human interaction2.
The reality is that when you sit down in front of your computer in Scotland, or anywhere else in the world, you are instructing a stream of electrical pulses containing the data you put in to go through a spider-web of cables to another computer, let’s say your ISP based in England. The information you send instructs that computer in turn to send more electrical pulses across the network to more computers spread across the world, each calculating a suitable path using a range of algorithms and routines to eventually reach the final destination, say a computer in the USA, which finally lights up its screen with your vital message: “LOL”.

But this marvellous, yet ubiquitous, wonder of the modern age- surely it is so new and unprecedented that no laws can yet bind it, there can be no previous model that matches it? No, on both counts. There is a previous model of communication almost identical in design – the universal postal service. Just like its C19th predecessor, the internet takes a message from one location, transports it through a route of network of processing stations in locations that the users neither know nor care about, to arrive at the final addressed destination. With a couple of centuries of analogous law, whether using Civil Law principles, or Common Law precedent, topped up with equally well established telegraph and telephony law plus whatever special rules a country might choose to add, there is instantly a full legal regime in place to cover whatever actions anyone might perform “in cyberspace”.

Once you realise this, a whole lot of apparently complex legal conundrums immediately become quite clear. You upload your manuscript to a publicly accessible server for people to download and read; for the purposes of copyright the “place of publication” must therefore be the physical location of that server, because that is where copies are sent from. You send a defamatory message, you commit the wrong in the location you are in but the damage occurs where it is received. These are all straight forward applications of existing legal rules.

But what if you hack into someone’s computer to deliberately cause damage? Especially if it is in another country? Well then we look to the criminal law, and the immediate analogy is the postal bomb. In that case prosecution might be where you make and send it from, or where it detonates; also if you are a citizen of neither, the country of your citizenship may also claim jurisdiction. Exactly the same can apply to criminal acts committed “in cyberspace”.

But what if instead of a bomb you send a whoopee cushion? What if it is an item legal in the place it is sent from but illegal at the destination? What if you send a message, which is legal in your country, to a server in another country where it is also legal, but which automatically republishes it all around the world including to a country where it is illegal?

This is where the speed and ease of internet communications and of reproduction of communications make a difference from physical mail systems. Most people know where in the world a physical postal item is going – it’s at the bottom of the address. IP addresses being strings of numbers, it might not be apparent what the physical location is3, and an apparently simple, non-criminal act in you own home could be an international crime. Or like Gary MacKinnon, an action that is a minor offence at the location where you do it (couple of years imprisonment maximum, if that) leaves you facing extradition to a foreign country for trial in an alien legal system to face life imprisonment in maximum security if convicted4.

So while the transmission of messages over the internet is easily compared with the postal system, the other element being the ease in which messages can be reproduced, republished, or altered with or without the original authors knowledge or consent also needs looked at. Here again we have a well established, internationally recognised, field of law that applies – copyright. After a couple of centuries of international argument there is a core of copyright law giving certain minimum rights to the authors of works around the world – or at least the 165 countries signatory to the Berne Convention. Add in the internationally accepted rules on contracts to cover agreements between parties licensing reproduction, and that is everything sorted bar enforcement?

Well, yes and no. The problem is that the internet started off as a communication system for the military and academia, both of which culturally are strong on attribution and transfer of information but weak on copyright enforcement. As the internet expanded, this cultural apathy to copyright law became a strong thread in “internet culture”, which developed into two parallel streams: those who believe that “I can do anything I want with anything on the internet” (wrong), and the open source & “copyleft” movements (which are fascinating applications of existing law which is worth several blog posts to themselves). At the same time traditional media businesses saw a threat to their existing revenue models and sought stronger regulations and changes to copyright law in as many jurisdictions as they could manage but without these changes working through to international treaty law.

This means that if you create content, and you have the inclination and money to enforce this internationally, the law is there which allows you to do so. However the weakness is definitely the enforcement aspect. Ironically the very changes which the traditional media businesses sought mean that if they breach your copyright it may well be worth your while suing them while it would not be worth pursuing many of the “new media” businesses.5

The other problem with content is while the rules on who owns the rights to use content are internationally accepted, the rules on whether the content is legal or is some sort of civil harm to someone else vary widely from place to place.

Let us consider defamation, causing harm to someone’s reputation for which one may be found liable in damages. In Common Law jurisdictions the position is more complicated due to the distinction between “slander” and “libel” depending on whether a transitory or permanent (for given values of both terms) means of communication are used. Being in Scotland where this distinction does not apply, I’ll leave it to someone else in a relevant jurisdiction to discuss at length the complications that creates there.

The problem in essence here is that there is no international standard for treatment of such communications. Not even the defence of “veritas” i.e. that a message is a truthful statement of facts is a guarantee that no legal comeback can exist. For example in Scotland (not uniquely) we have the delict of convicium, that a communication (possibly truthful) is being brought into public without good cause in such a manner as to hold someone up to public ridicule. Therefore if you send out a message that gives you no civil or criminal liability in your own country, you may not know that is true in the country it is received in. Of course if it does make you legally liable in your own country, you can hardly be surprised when your own country’s legal system holds you to account.

Equally, a person who repeats an injurious message may also be held liable: whether this is automatically done by your computer equipment or manually done, whether the message can be removed on a complaint being received, whether you make any alteration to the message, all can affect liability. If you own an internet server which simply passes on the data packets as part of normal internet traffic, without you having any knowledge of what it is, it is unlikely that you can have any liability. 6 Likewise if you provide a service which simply automatically republishes messages from users you should not have any liability – although if your system retains the message for future re-examination there may be issues relating to having to remove these on complaint. If however you selectively republish messages, then you are making a deliberate choice whether or not to pass this on and you have a responsibility for that action.

However, with the quick turnaround of messages, these can spread over hundreds of legal jurisdictions within a day. This is therefore an area where the problem may not be that there is no law, but there are too many conflicting laws that present a maze to traverse before enforcing through courts, during which time that message is “out there” doing its harm.

There are two obvious solutions. Firstly the internet savvy user may choose extra-judicial solutions – no, not physical violence but fighting communication with communication. Stories and reputation are the “native currency” of users in the non-existent land of Cyberspace, and with a good retort or counter-story a victim may well have become the victor in terms of reputation long before any court can consider the matter. The alternative is to “cut at the head” and raise legal action against the main person (probably the originator) who put out the message. Of course the message is still circulating out there but you include that in the claim for damages – except that if the originator has no money you can’t get blood out of a stone. That means other people who have got money and passed the message on might be brought into the firing line. There’s no point trying to get a court order (interdict or injunction depending on jurisdiction) because only some jurisdictions accept “against the world” orders, others (like Scotland) will only apply them against the parties you specify, and once the genie is out of the bottle you could be looking at hundreds of thousands of people across the world, if not millions, who have or might pass the message on.

Another approach to regulation is to use another well established international system: contract law. Because people in different countries have been making contracts with each other since…well as long as there have been different countries, the rules are there to already. If you are providing a service in Cyberspace, you can set contractual terms as to how people use that service. Every internet user will have come across these contractual rules already – they are the “Terms of Service” or “Terms of Use” that websites contain. These can, and should, contain a “Choice of Law” clause which says all use of the service is subject to the jurisdiction of X, usually the place the service provider is based but not necessarily. This will cover the interactions between users of the service, and also between users and service provider, but not third parties. So if a social media site were to say something “This is a free speech site; all users accept that they have no legal rights of action against anyone in the world for what is said here”, if the jurisdiction that contractually controls that site agrees that is enforceable then no user can sue any other user or the service provider. However, this does not affect criminal acts (which is between a user and their state) or claims by third parties who are not users.

So, Cyberspace is not a lawless frontier but simply an international system than is covered by a multitude of previously existing and new laws. The problem is having so many laws in different countries each covering a tiny bit of the “whole”. Getting international standardisation is unlikely since governments within individual countries have enough difficulty deciding what the rules should be and there is no chance that even the majority of the worlds governments can agree a common approach. If they did, based on attempts at legislation even in so called “free countries” it is likely that it would be some form of repressive approach that the majority of internet users would object to and actively oppose ultimately making it unenforceable without ending the whole internet as we know it.

Of course countries could pass laws exempting Cyberspace activities from usual rules of that country, or replacing them with different rules. But this would again be on a country by country basis, not on Cyberspace as a whole. Of course if a country passes law making a certain type of internet activity easier to carry out, such a ruling out certain types of legal action against users and/or actively making it difficult for other countries to take legal action against users or the service provider, that may very well provide an incentive for businesses to locate in that country, or at least ensure that country has jurisdiction. Back to William Gibson again7 -“Data haven” anyone?

4. At this point I would take this opportunity to remind all server operators, especially the US security services, to CHANGE THE DEFAULT PASSWORDS on your systems. Even though unauthorised access to your system is illegal in your country, not taking even basic security precautions is like leaving your doors and windows wide open to the world.

5. Those who live by the writ, die by the writ.

6. Of course there are countries which want Internet Service Providers to monitor traffic, and possibly inspect data to make sure it doesn’t contain undesirable information. Whether we would be happy to have similar laws having our postal service tell the government the amounts of mail we receive from various senders, or even steam open our envelopes to report of what they contain I leave to you to consider.

7. Actually he wasn’t the first to use this term, but his books did a lot to popularise it.